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Information Commissioner's Office 


Management Board minutes 
Monday 2 November 2015 


Members and other attendees present 


Ailsa Beaton Non-executive Director 

Louise Byers Head of Good Practice 

Christopher Graham Information Commissioner (chair) 
David Smith Deputy Commissioner Data Protection 
Ian Watmore Non-executive Director 

Nicola Wood Non-executive Director 

Peter Bloomfield Senior Corporate Governance Manager 


(secretariat) 


1. Introductions and apologies 


1.1. There were apologies from Simon Entwisle, Deputy 
Commissioner and Deputy Chief Executive Officer, who was 
unable to attend the meeting. 


2. Declaration of interests 
2.1. There were no interests declared. 


3. Matters arising from the previous meeting 


3-1; The minutes of the meeting of 27 July had been agreed 
by correspondence and were presented for information. 
Action points were for clearance if possible. 


3.2. Christopher Graham confirmed that Ailsa Beaton would 
be chairing the Remuneration Committee which was meeting 
next week. 


3:3: The action point for Simon Entwisle to consider the 
ICO’s automated response to self reported breaches 
remained outstanding. It was agreed that Simon Entwisle 
would discuss the matter with Nicola Wood outside the 
meeting. 


Action point 1: Simon Entwisle and Nicola Wood to 
discuss the adequacy of the automated response to self 
reported breaches. 


3.4. It was confirmed that the Board’s expectation was that 
action points and decisions shown on the decision log would 
be cleared to schedule. 


Action point 2: Christopher Graham to remind Senior 
Management Team members of the need to ensure that 
action points and decisions are cleared to agreed 
deadlines. 


4. Commissioner’s forward look 


4.1. Christopher Graham provided an update on the major 
issues affecting the ICO. In particular he provided feedback 
on the International Conference of Data Protection and 
Privacy Commissioners held recently in Amsterdam. In 
addition the new Minister with responsibility for Data 
Protection Policy and sponsorship of the ICO at the DCMS 
would be visiting the Wilmslow office shortly. 


4.2. The role of the ICO in providing advice to both members 
of the public and other data controllers following IT security 
breaches was discussed. The priority was to be able to push 
the public towards the expert advice they needed. At the 
same time the ICO also needed a clear idea as to what 
information it could usefully provide data controllers about 
any lessons learnt from particular breaches and subsequent 
investigations. 


Action point 3: Christopher Graham and Simon Entwisle 
to discuss the resources and structure of the 
Enforcement Team in light of the increasing number of 
breaches. 


4.3. The process to recruit the next Commissioner was 
expected to start shortly. The ICO would publicise the 
process and members of the Board were similarly encouraged 
to do so. 


Action point 4: Christopher Graham to check with the 
DCMS on the nature of the recruitment pack and on the 
selection panel membership. 


4.4. The risk register was also discussed as part of this 
agenda item. Whilst it had been updated to reflect recent 
changes, for example in sponsorship department, it was 
recognised that the risks were dated and needed reviewing. 
The register would be brought to the Senior Management 
Team shortly for review. The Board suggested that it would 


be useful if the Senior Management Team could consider 
inclusion of a specific reputational risk for the ICO. 


4.5. The risk of further reductions in grant in aid, for 
freedom of information work, was noted, along with the need 
to continue work on researching possible changes to the data 
protection registration fee income. 


5. Future Management Board arrangements 


5:1; The Board was asked to confirm its composition and 
working arrangements following the recent changes to the 
ICO’s management structure. It was agreed that the Board 
would continue with a membership of the three current non- 
executive directors, Christopher Graham and Simon Entwisle. 
Changes to its terms of reference would reflect this and the 
setting up of the Senior Management Team, but would 
otherwise remain the same. 


Action point 5: Peter Bloomfield to amend the Board 
terms of reference to reflect the recent changes. 


5.2. Senior Management Team members would be invited to 
attend Board meetings for matters related to their areas of 
work. 


6. The handling of allegations of criminal offences 
against ICO staff 


6.1. A procedure had been drafted detailing the steps the 
office would take if allegations were made against ICO staff 
of criminal activity under the Freedom of Information Act and 
the Data Protection Act. There was a need to ensure 
transparency of process as the ICO was the prosecuting 
authority for such offences and would, in effect, be making 
decisions about whether to prosecute its own staff. There was 
therefore a need to ensure that the person against whom 
allegations were made was not in a position to influence 
decisions. 


6.2. The role of the chair of the Audit Committee was 
discussed. It was clarified that their role was not to 
investigate, or to appoint the investigating officer; rather it 
was to support the investigating officer if required. 


6.3. There was also discussion as to what the test was when 
deciding if there was evidence of a crime and the matter 
needed referring to the Police. 


6.4. The procedure was confirmed. 


7. Notification fee research 


Pel; Louise Byers updated the Board on research into the 
proportion of data controllers in particular sectors which paid 
the notification fee, to help identify those sectors where 
compliance with the duty to notify was a problem and steps 
could be taken to improve compliance. Preliminary results 
would be available towards the end of the month. 


7.2. The research might also help inform any decisions as to 
targeting notification amounts on information risk (not just 
the size and turnover of organisations) and the need to 
reflect the new EU DP regulation when implemented in any 
fee collection process. 


7.3. The Board considered it important to have a clear idea 
as to the total number of data controllers which should be 
notified with the Commissioner. 


8. Draft ICO Plan 2016-2019 


8.1. The draft ICO Plan 2016-2019 was presented for 
information. It was based on the current 2015-2018 plan, 
updated to reflect changes in on-going projects and new 
priorities. It was a work in progress which would be 
presented to the DCMS along with a draft budget for 2016/17 
before the end of the calendar year. 


8.2. In respect of the main customer service target (1.1) it 
was asked whether or not the ICO could do better. The 
proposed new target was as for this year. 


9. Performance against the ICO Plan 2015-2018 


9.1. Performance against the current ICO plan is reported 
quarterly, and the report up to the end of September was 
presented for information. 


9.2. The Board questioned why the ICO had not agreed any 
voluntary improvement plans (action 2.3). It was explained 
that other options were possibly more effective in practice. A 
decision would be taken as to whether the option was 
included in the ICO Plan 2016-2019. 


9.3. It was noted that whilst the ICO was executing some 
search warrants in the local area, this did not mean that the 
ICO was restricting in any way its operations geographically. 
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Finances 


T; Louise Byers reported on ICO finances up to the end of 


September. Notification fee income was within 1% of 
expectations, and indicative figures for October indicated that 
this was the case still. The possibility of an underspend 
remained. 


2. The need for capital expenditure next year was raised. 
This year the capital budget had been high, reflecting a need 
to catch up on IT projects in particular. There might not be 
quite the same need for capital expenditure next year but 
much depended on decisions relating to IT strategy. 


3: Ensuring recruitment did not fall behind vacancy levels 
had been a priority this year, to ensure teams were properly 
resourced to do their work. Recruitment had been helped by 
a rise in starting salaries but there were difficulties in 
recruiting in certain specialist posts. 


4. It was noted that the new procurement management 
system had just gone live. 


5. The challenge of recruiting a temporary Head of Finance 
was a concern. 


Action point 6: Simon Entwisle to come to Audit 
Committee in December with details of the actions 
being taken to provide a temporary replacement for 
the Head of Finance. 


Issues reports 


Operations 
.1. The operations report was presented for discussion. The 


headline was that for the third quarter in a row input had 
exceeded output. The risk was that backlogs of casework 
could quickly arise in these circumstances. 


Action point 7: Simon Entwisle and Christopher Graham 
to discuss the risk of backlogs and to report back to 
the January Board on mitigating actions. 


Information rights 
.2. The information rights report was presented for 


information. David Smith drew attention to the trend in both 
the EU and UK courts towards upholding individual privacy 
rights and the impact of this on the ICO’s work. New 
arrangements for ensuring that subject access cases are 
dealt with appropriately had been introduced and he had 
reached agreement with Simon Entwisle on a process for 


12. 


reducing the risk that ICO policy may not fully reflect 
casework decisions. 


Corporate Affairs 
11.3. Similarly the Corporate Affairs report was presented for 


information. It was in a new format. 


Organisational Development 
11.4. Michael Collins, Head of Organisational Development, 


attended for this item. He advised that the 2015 pay rise 
would be paid to staff as part of their November salary, 
backdated to July. The increase met the government 1% cap. 


11.5. The last staff survey had been over a year ago with the 


next survey being planned for 2016. The reason for this was 
that the ICO made use of the Civil Service survey and this 
was biennial. However the Board was concerned that ways of 
measuring staff engagement ought to be more frequent, 
especially as the last survey had been during a period of 
industrial action, and the next planned survey would be 
shortly after the next Commissioner would have been 
appointed. 


Action point 8: Christopher Graham to consider the 
possibility of using pulse surveys to measure staff 
engagement more frequently than biennially and to 
report back to the Board. 


11.6. ACAS were due to undertake a review of the processes 


around the decision to award pay rises to senior managers 
following a re-structure and how these decisions were 
communicated. They were not reviewing the actual decisions. 


11.7. The Board noted a 4.5% non-attendance of ICO staff at 


training courses. The ICO was taking steps to ensure that 
where managers had committed staff to training that this 
commitment was followed through. 


11.8. It was agreed that car parking would be discussed at 


the Remuneration Committee meeting next week. 


Executive Team meetings 


12.1. The minutes of Executive Team meetings, and the one 


Senior Management Team meeting, that had taken place 
since the last Board meeting, were presented for information. 


13. Audit Committee 


13.1. The minutes of the September Audit Committee 


meeting were presented for information. 


14. Any other business 


14.1. This meeting was David Smith’s last management Board 
as he was retiring shortly from his role as Deputy 
Commissioner for Data Protection. Christopher Graham along 
with the other members of the Board thanked David for his 
work and dedication to the data protection community for 
many years. 


